Perfect 110 CMMC Score with Supplynet Inc.



CMMC Level 2 Certification Case Study


Supplynet Inc. — Perfect 110/110 Score on C3PAO Assessment with Zero Deficiencies




Overview


A defense supply chain contractor achieving CMMC Level 2 certification with a perfect score — setting a benchmark for small business compliance in the Defense Industrial Base.


Client


Supplynet Inc.


Industry


Defense Supply Chain — Valley Cottage, New York


Assessment Result


110 / 110 — Zero Deficiencies — All 14 Control Families Passed


When the Department of Defense began enforcing CMMC 2.0 requirements for contractors handling Controlled Unclassified Information (CUI), Supplynet Inc. recognized the need for a compliance partner who could deliver a certification-ready program from the ground up. With defense contracts at stake and no existing compliance infrastructure, Supplynet engaged Jaiglo LLC to build a complete CMMC Level 2 program and guide them through a successful C3PAO assessment.

Jaiglo conducted a full gap analysis, designed and implemented a purpose-built CUI enclave, developed a comprehensive System Security Plan (SSP) covering all 110 NIST SP 800-171 Rev 2 controls, deployed the complete security technology stack, and built a defensible documentation framework — from Incident Response Plans and Risk Assessments to evidence templates and audit-ready artifacts.

The result: Supplynet passed its C3PAO assessment with a perfect score of 110 out of 110 — zero deficiencies, zero POA&M items, and full compliance across every control family. This positions Supplynet among a select group of small business DIB contractors to achieve CMMC Level 2 certification on the first attempt without a single finding.


Challenges and What We Delivered

Challenge: No existing CMMC compliance infrastructure — policies, technical controls, and documentation needed to be built from scratch.
What We Delivered: Built a complete CMMC Level 2 compliance program from the ground up, including a comprehensive SSP with implementation narratives for all 110 NIST SP 800-171 controls.

Challenge: Required a dedicated CUI enclave with appropriate boundary protections, access controls, and federal-grade security tooling.
What We Delivered: Designed and deployed a purpose-built CUI enclave featuring Cisco Meraki MX67 for Government firewall, Cisco Duo Federal MFA, EventSentry 6.0 SIEM, Microsoft 365 GCC email, and Veeam v13 encrypted backup.

Challenge: Needed audit-ready documentation that would withstand scrutiny from a C3PAO assessor across all 14 control families.
What We Delivered: Created a full compliance documentation suite — Incident Response Plan, Risk Assessment, tabletop exercises, Software Allow List, CUI handling procedures, asset inventories, and structured evidence packages.

Challenge: Small business with limited IT staff needed a partner who could own both technical implementation and compliance strategy.
What We Delivered: Served as full-scope ESP/MSSP — handled architecture design, product deployment, configuration, policy authoring, and assessment preparation as a single point of accountability.

Results

Supplynet Inc. passed its CMMC Level 2 C3PAO assessment with a perfect score of 110/110 — zero deficiencies across all 14 control families. The company is now certified and positioned for continued eligibility on defense contracts requiring CUI handling. The engagement demonstrated that rigorous compliance is achievable for small businesses with the right strategic partnership and a commitment to security-first operations.

Key Deliverables

System Security Plan (SSP)
A comprehensive SSP documenting implementation narratives for all 110 NIST SP 800-171 Rev 2 controls, including assessment boundary definition, CUI data flows, system interconnections, and role-based responsibilities.
CUI Enclave Design & Deployment
Purpose-built CUI environment centered on a hardened Windows 11 workstation with Cisco Meraki MX67 for Government firewall, Cisco Duo Federal MFA, EventSentry 6.0 SIEM, Microsoft 365 GCC email, Veeam v13 encrypted backup, and Cisco Meraki MV13 physical surveillance.
Compliance Documentation Suite
Full policy and procedure framework including Incident Response Plan, Risk Assessment, tabletop exercise packages, Software Allow List, Approved Products List, asset inventory, CUI handling procedures, and structured evidence templates.
SIEM & Monitoring Configuration
EventSentry 6.0 deployed with alert policies mapped to CMMC AU control family requirements, including real-time event monitoring, audit log collection, and compliance reporting with OAuth/SMTP integration to Microsoft 365.
C3PAO Assessment Preparation
End-to-end assessment readiness support including evidence package assembly, control walkthrough preparation, and ongoing advisory through the assessment process — resulting in a perfect 110/110 outcome.